Abstract

This paper proposes rewriting modulo SMT, a new technique that combines the power
of SMT solving, rewriting modulo theories, and model checking. Rewriting modulo
SMT is ideally suited to model and analyze infinite-state open systems, i.e., systems
that interact with a non-deterministic environment. Such systems exhibit both internal
non-determinism, which is proper to the system, and external non-determinism, which
is due to the environment. In a reflective formalism, such as rewriting logic, rewriting
modulo SMT can be reduced to standard rewriting. Hence, rewriting modulo SMT
naturally extends rewriting-based reachability analysis techniques, which are available for
closed systems, to open systems. The proposed technique is illustrated with the formal
analysis of: (i) a real-time system that is beyond the scope of timed-automata methods
and (ii) automatic detection of reachability violations in a synchronous language
developed to support autonomous spacecraft operations.


1. Introduction 

Symbolic techniques can be used to represent possibly infinite sets of states by
means of symbolic constraints. These techniques have been developed and adapted to
many other verification methods such as SAT solving, Satisfiability Modulo Theories
(SMT), rewriting, and model checking. A key open research issue of current symbolic
techniques is extensibility. Techniques that combine different methods have been
proposed, e.g., decision procedures [33, 34], unification algorithms [7, 11], theorem
provers with decision procedures [39, 1, 10], and SMT solvers in model checkers [3,
23, 32, 45, 47]. However, there is still a lack of general extensibility techniques for
symbolic analysis that simultaneously combine the power of SMT solving, rewriting-
and narrowing-based analysis, and model checking.

This paper proposes a new symbolic technique that seamlessly combines rewriting
modulo theories, SMT solving, and model checking. For brevity, this technique
is called rewriting modulo SMT, although it could more precisely be called rewriting
modulo $\mathrm{SMT}+B$, where $B$ is an equational theory having a matching algorithm. It
complements another symbolic technique combining narrowing modulo theories and model
checking, namely narrowing-based reachability analysis [31, 8]. Neither of these two
techniques subsumes the other.
Rewriting modulo SMT can be applied to increase the power of equational reasoning,
e.g., [26, 22, 21], but its full power, including its model checking capabilities,
is better exploited when applied to concurrent open systems. Deterministic systems
can be naturally specified by equational theories, but specification of concurrent,
non-deterministic systems requires rewrite theories [29], i.e., triples $\mathcal{R} = (\Sigma, E, R)$ with
$(\Sigma, E)$ an equational theory describing system states as elements of the initial
algebra $\mathcal{T}_{\Sigma/E}$, and $R$ rewrite rules describing the system's local concurrent transitions. An
open system is a concurrent system that interacts with an external, non-deterministic
environment. When such a system is specified by a rewrite theory $\mathcal{R} = (\Sigma, E, R)$, it
has two sources of non-determinism, one internal and the other external. Internal
non-determinism comes from the fact that in a given system state different instances of rules
in $R$ may be enabled. The local transitions thus enabled may lead to completely different
states. What is peculiar about an open system is that it also has external, and often
infinitely-branching, non-determinism due to the environment. That is, the state of an
open system must include the state changes due to the environment. Technically, this
means that, while a system transition in a closed system can be described by a rewrite
rule $t \to t'$ with $vars(t') \subseteq vars(t)$, a transition in an open system is instead modeled by
a rule of the form $t(\vec{x}) \to t'(\vec{x}, \vec{y})$, where $\vec{y}$ are fresh new variables. Therefore, a
substitution for the variables $\vec{x} \uplus \vec{y}$ decomposes into two substitutions, one, say $\theta$, for
the variables $\vec{x}$ under the control of the system and another, say $\rho$, for the variables $\vec{y}$
under the control of the environment. In rewriting modulo SMT, such open systems
are described by conditional rewrite rules of the form $t(\vec{x}) \to t'(\vec{x}, \vec{y})\ \mathit{if}\ \phi$, where $\phi$
is a constraint solvable by an SMT solver. This constraint $\phi$ may still allow the
environment to choose an infinite number of substitutions $\rho$ for $\vec{y}$, but can exclude choices
that the environment will never make.

The non-trivial challenges of modeling and analyzing open systems can now be better
explained. They include: (1) the enormous and possibly infinitary non-determinism
due to the environment, which typically renders finite-state model checking impossible
or unfeasible; (2) the impossibility of executing the rewrite theory $\mathcal{R} = (\Sigma, E, R)$
in the standard sense, due to the non-deterministic choice of $\rho$; and (3) the, in general,
undecidable challenge of checking the rule's condition $\phi$, since without knowing
$\rho$, the condition $\phi\theta$ is non-ground, so that its $E$-satisfiability may be undecidable. As
further explained in the paper, challenges (1)-(3) are all met successfully by rewriting
modulo SMT because: (1) states are represented not as concrete states, i.e., ground
terms, but as symbolic constrained terms $(t\,;\,\varphi)$ with $t$ a term with variables ranging in
the domains handled by the SMT solver and $\varphi$ an SMT-solvable formula, so that the
choice of $\rho$ is avoided; (2) rewriting modulo SMT can symbolically rewrite such pairs
$(t\,;\,\varphi)$ (describing possibly infinite sets of concrete states) to other pairs $(t'\,;\,\varphi')$; and (3)
the satisfiability of $\phi\theta$ (more precisely of $\varphi \wedge \phi\theta$) can be decided by invoking an SMT solver.

Rewriting modulo SMT can be integrated with model-checking by exploiting the 
fact that rewriting logic is reflective [15]. Hence, rewriting modulo SMT can be re- 
duced to standard rewriting. In particular, all the techniques, algorithms, and tools 
available for model checking of closed systems specified as rewrite theories, such as 
Maude’s search-based reachability analysis [14], become directly available to perform 
symbolic reachability analysis on systems that are now infinite-state. 

The technique proposed in this paper is illustrated with the formal analysis of the
CASH scheduling protocol [13] and formal executable semantics of the Plan Execution
Interchange Language (PLEXIL) [20]. The CASH protocol specifies a real-time system
whose formal analysis is beyond the scope of timed-automata [2]. The language
PLEXIL is a safety-critical synchronous language developed by NASA to support
autonomous spacecraft operations.

This manuscript is an extended and revised version of [43]. The extension and 
revision include: 

• Complete proofs of all results in sections 3 and 4. 

• New short examples illustrating some technical definitions and results in Sec- 
tion 3. 

• A new case study in Section 7 on automatically detecting symbolic reachability 
violations. 

2. Preliminaries 

Notation on terms, term algebras, and equational theories is used as in [6, 24].

An order-sorted signature $\Sigma$ is a tuple $\Sigma = (S, \leq, F)$ with a finite poset of sorts $(S, \leq)$
and set of function symbols $F$. The binary relation $\equiv_{\leq}$ denotes the equivalence relation
generated by $\leq$ on $S$ and its point-wise extension to strings in $S^*$. The function symbols
in $F$ can be subsort-overloaded and satisfy the condition that, for $w, w' \in S^*$ and $s, s' \in S$,
if $f : w \to s$ and $f : w' \to s'$ are in $F$, then $w \equiv_{\leq} w'$ implies $s \equiv_{\leq} s'$. A top sort
in $\Sigma$ is a sort $s \in S$ such that if $s' \in S$ and $s \equiv_{\leq} s'$, then $s' \leq s$. For any sort $s \in S$, the
expression $[s]$ denotes the connected component of $s$, that is, $[s] = [s]_{\equiv_{\leq}}$.

Let $X = \{X_s\}_{s \in S}$ denote an $S$-indexed family of disjoint variable sets with each
$X_s$ countably infinite. The set of terms of sort $s$ and the set of ground terms of sort $s$
are denoted, respectively, by $T_\Sigma(X)_s$ and $T_{\Sigma,s}$; accordingly, $T_\Sigma(X)$ and $T_\Sigma$ denote the
corresponding order-sorted $\Sigma$-term algebras. All order-sorted signatures are assumed
preregular [24], i.e., each $\Sigma$-term $t$ has a least sort $ls(t) \in S$ s.t. $t \in T_\Sigma(X)_{ls(t)}$. It is also
assumed that $\Sigma$ has nonempty sorts, i.e., $T_{\Sigma,s} \neq \emptyset$ for each $s \in S$. For $S' \subseteq S$, a term is
called $S'$-linear if no variable with sort in $S'$ occurs in it twice. The set of variables of
$t$ is written $vars(t)$.

A substitution is an $S$-indexed mapping $\theta : X \to T_\Sigma(X)$ that is different from
the identity only for a finite subset of $X$. The identity substitution is denoted by $id$
and $\theta|_Y$ denotes the restriction of $\theta$ to a family of variables $Y \subseteq X$. The domain of
$\theta$, denoted $dom(\theta)$, is the subfamily of $X$ for which $\theta(x) \neq x$, and $ran(\theta)$ denotes the
family of variables introduced by the terms $\theta(x)$, such that $x \in dom(\theta)$. Substitutions
extend homomorphically to terms in the natural way. A substitution $\theta$ is called ground
iff $ran(\theta) = \emptyset$. The application of a substitution $\theta$ to a term $t$ is denoted by $t\theta$ and the
composition (in diagrammatic order) of two substitutions $\theta_1$ and $\theta_2$ is denoted by $\theta_1\theta_2$,
so that $t\theta_1\theta_2$ denotes $(t\theta_1)\theta_2$. A context $C$ is a $\lambda$-term of the form $C = \lambda x_1, \ldots, x_n.\,c$
with $c \in T_\Sigma(X)$ and $\{x_1, \ldots, x_n\} \subseteq vars(c)$; it can be viewed as an $n$-ary function
$C(t_1, \ldots, t_n) = c\theta$, where $\theta(x_i) = t_i$ for $1 \leq i \leq n$ and $\theta(x) = x$ otherwise.

A $\Sigma$-equation is an unoriented pair $t = u$ with $t \in T_\Sigma(X)_{s_t}$, $u \in T_\Sigma(X)_{s_u}$, and
$s_t \equiv_{\leq} s_u$. A conditional $\Sigma$-equation is a triple $t = u\ \mathit{if}\ \gamma$, with $t = u$ a $\Sigma$-equation
and $\gamma$ a finite conjunction of $\Sigma$-equations; a $\Sigma$-equation is called unconditional if $\gamma$
is the empty conjunction. An equational theory is a tuple $(\Sigma, E)$, with $\Sigma$ an order-sorted
signature and $E$ a finite collection of (possibly conditional) $\Sigma$-equations. It is
assumed that $T_{\Sigma,s} \neq \emptyset$ for each $s \in S$. An equational theory $\mathcal{E} = (\Sigma, E)$ induces the
congruence relation $=_\mathcal{E}$ on $T_\Sigma(X)$ defined for $t, u \in T_\Sigma(X)$ by $t =_\mathcal{E} u$ iff $E \vdash t = u$
by the deduction rules for order-sorted equational logic in [30]. Similarly, $=^1_\mathcal{E}$ denotes
provable $\mathcal{E}$-equality in one step of deduction. The $\mathcal{E}$-subsumption ordering $\ll_\mathcal{E}$ is the
binary relation on $T_\Sigma(X)$ defined for any $t, u \in T_\Sigma(X)$ by $t \ll_\mathcal{E} u$ iff there is a substitution
$\theta : X \to T_\Sigma(X)$ such that $t =_\mathcal{E} u\theta$. A set of equations $E$ is called collapse-free for a
subset of sorts $S' \subseteq S$ iff for any $t = u \in E$ and for any substitution $\theta : X \to T_\Sigma(X)$
neither $t\theta$ nor $u\theta$ map to a variable having some sort $s \in S'$. The expressions $\mathcal{T}_\mathcal{E}(X)$ and
$\mathcal{T}_\mathcal{E}$ (also written $\mathcal{T}_{\Sigma/E}(X)$ and $\mathcal{T}_{\Sigma/E}$) denote the quotient algebras induced by $=_\mathcal{E}$ on the
term algebras $T_\Sigma(X)$ and $T_\Sigma$, respectively; $\mathcal{T}_{\Sigma/E}$ is called the initial algebra of $(\Sigma, E)$.
A theory inclusion $(\Sigma, E) \subseteq (\Sigma', E')$, with $\Sigma \subseteq \Sigma'$ and $E \subseteq E'$, is called protecting iff the
unique $\Sigma$-homomorphism $\mathcal{T}_{\Sigma/E} \to \mathcal{T}_{\Sigma'/E'}|_\Sigma$ to the $\Sigma$-reduct of the initial algebra $\mathcal{T}_{\Sigma'/E'}$
is a $\Sigma$-isomorphism, written $\mathcal{T}_{\Sigma/E} \simeq \mathcal{T}_{\Sigma'/E'}|_\Sigma$. A set of equations $E$ is called regular iff
$vars(t) = vars(u)$ for any equation $(t = u\ \mathit{if}\ \gamma) \in E$.

Appropriate requirements are needed to make an equational theory $\mathcal{E}$ admissible,
i.e., executable in rewriting languages such as Maude [14]. In this paper, it is
assumed that the equations of $\mathcal{E}$ can be decomposed into a disjoint union $E \uplus B$, with
$B$ a collection of regular and linear structural axioms (such as associativity, and/or
commutativity, and/or identity) for which there exists a matching algorithm modulo $B$
producing a finite number of $B$-matching solutions, or failing otherwise. Furthermore,
it is assumed that the equations $E$ can be oriented into a set of (possibly conditional)
strongly deterministic [35], sort-decreasing, operationally terminating, confluent, and
strictly $B$-coherent [19] conditional rewrite rules $\vec{E}$ modulo $B$. The conditional rewrite
system $\vec{E}$ is sort decreasing modulo $B$ iff for each $(t \to u\ \mathit{if}\ \gamma) \in \vec{E}$ and substitution $\theta$,
$ls(t\theta) \geq ls(u\theta)$ if $(\Sigma, B, \vec{E}) \vdash \gamma\theta$. The system $\vec{E}$ is operationally terminating modulo $B$
iff there is no infinite well-formed proof tree in $(\Sigma, B, \vec{E})$. Furthermore, $\vec{E}$ is confluent
modulo $B$ iff for all $t, t_1, t_2 \in T_\Sigma(X)$, if $t \to^*_{E/B} t_1$ and $t \to^*_{E/B} t_2$, then there is $u \in T_\Sigma(X)$
such that $t_1 \to^*_{E/B} u$ and $t_2 \to^*_{E/B} u$. The term $t\!\downarrow_{E/B}\, \in T_\Sigma(X)$ denotes the $E$-canonical
form of $t$ modulo $B$, so that $t \to^*_{E/B} t\!\downarrow_{E/B}$ and $t\!\downarrow_{E/B}$ cannot be further reduced by $\to_{E/B}$.
Under the above assumptions $t\!\downarrow_{E/B}$ is unique up to $B$-equality.

A $\Sigma$-rule is a triple $l \to r\ \mathit{if}\ \phi$, with $l, r \in T_\Sigma(X)_s$, for some sort $s \in S$, and
$\phi = \bigwedge_{i \in I} t_i = u_i$ a finite conjunction of $\Sigma$-equations. A rewrite theory is a tuple $\mathcal{R} =
(\Sigma, E, R)$ with $(\Sigma, E)$ an order-sorted equational theory and $R$ a finite set of $\Sigma$-rules. The
rewrite theory $\mathcal{R}$ induces a rewrite relation $\to_\mathcal{R}$ on $T_\Sigma(X)$ defined for every $t, u \in T_\Sigma(X)$
by $t \to_\mathcal{R} u$ iff there is a rule $(l \to r\ \mathit{if}\ \phi) \in R$ and a substitution $\theta : X \to T_\Sigma(X)$
satisfying $t =_E l\theta$, $u =_E r\theta$, and $E \vdash \phi\theta$. The relation $\to_\mathcal{R}$ is undecidable in general,
unless conditions such as coherence [46] are given. A key point of this paper is to
make such a relation decidable when $E$ decomposes as $\mathcal{E}_0 \uplus B_1$, where $\mathcal{E}_0$ is a built-in
theory for which formula satisfiability is decidable and $B_1$ has a matching algorithm.
A topmost rewrite theory is a rewrite theory $\mathcal{R} = (\Sigma, E, R)$ such that for some top sort
$\mathit{State}$, no operator in $\Sigma$ has $\mathit{State}$ as argument sort and each rule $l \to r\ \mathit{if}\ \phi \in R$ satisfies
$l, r \in T_\Sigma(X)_{\mathit{State}}$ and $l \notin X$.
3. Rewriting Modulo a Built-in Subtheory

This section introduces the concept of rewriting modulo a built-in equational
subtheory and presents its main properties.

Definition 1 (Signature with Built-ins). An order-sorted signature $\Sigma = (S, \leq, F)$ is a
signature with built-in subsignature $\Sigma_0 \subseteq \Sigma$ iff $\Sigma_0 = (S_0, F_0)$ is many-sorted, $S_0$ is a set
of minimal elements in $(S, \leq)$, and if $f : w \to s \in F_1$ then $s \notin S_0$ and $f$ has no other
typing in $F_0$, where $F_1 = F \setminus F_0$.

The notion of built-in subsignature in an order-sorted signature $\Sigma$ is modeled by a
many-sorted signature $\Sigma_0$ defining the built-in terms $T_{\Sigma_0}(X_0)$. The restriction imposed
on the sorts and the function symbols in $\Sigma$ w.r.t. $\Sigma_0$ provides a clear syntactic distinction
between built-in terms (the only ones with built-in sorts) and all other terms.

Example 1. Consider the following order-sorted signature in the syntax of Maude:

sorts Nat AttributeName Attribute AttrSet .
op 0 : -> Nat .
op s_ : Nat -> Nat .

ops maxBudget timeToDeadline : -> AttributeName .
op _|->_ : AttributeName Nat -> Attribute .

op mt : -> AttrSet .

op _,_ : AttrSet AttrSet -> AttrSet [assoc comm id: mt] .

This signature models a multiset of named attributes similar to the ones that are
currently employed in algebraic object-like specifications. Sort Nat specifies natural
numbers in Peano notation and sort AttributeName attribute names. A named attribute in
Attribute is a term AN |-> N with AN an attribute name and N a natural number. Sort
AttrSet specifies multisets of named attributes with multiset union denoted by ',' and
with identity mt. The following is a term in AttrSet denoting that maxBudget is 2
and timeToDeadline is 1:

maxBudget |-> s(s(0)), timeToDeadline |-> s(0)

In this case, the many-sorted signature $\Sigma_0 = (\{\mathtt{Nat}\}, \{\mathtt{0}, \mathtt{s}\})$ is a built-in subsignature of
the order-sorted signature. Finally, $F_1$ includes all function symbols in the signature
except for those in the set $\{\mathtt{0}, \mathtt{s}\}$.

If $\Sigma \supseteq \Sigma_0$ is a signature with built-ins, then an abstraction of built-ins for $t$ is a
context $\lambda x_1 \cdots x_n.\,t^\circ$ such that $t^\circ \in T_{\Sigma_1}(X)$ and $\{x_1, \ldots, x_n\} = vars(t^\circ) \cap X_0$, where
$\Sigma_1 = (S, \leq, F_1)$ and $X_0 = \{X_s\}_{s \in S_0}$. Lemma 1 shows that such an abstraction can be
chosen so as to provide a canonical decomposition of $t$ with useful properties.

Lemma 1. Let $\Sigma$ be a signature with built-in subsignature $\Sigma_0 = (S_0, F_0)$. For each
$t \in T_\Sigma(X)$, there exist an abstraction of built-ins $\lambda x_1 \cdots x_n.\,t^\circ$ for $t$ and a substitution
$\theta^\circ : X_0 \to T_{\Sigma_0}(X_0)$ such that (i) $t = t^\circ\theta^\circ$ and (ii) $dom(\theta^\circ) = \{x_1, \ldots, x_n\}$ are pairwise
distinct and disjoint from $vars(t)$; moreover, (iii) $t^\circ$ can always be selected to be $S_0$-linear
and with $\{x_1, \ldots, x_n\}$ disjoint from an arbitrarily chosen finite subset $Y$ of $X_0$.

Proof. By induction on the structure of $t$. □
In the rest of the paper, for any $t \in T_\Sigma(X)$ and $Y \subseteq X_0$ finite, the expression
$\mathit{abstract}_{\Sigma_0}(t, Y)$ denotes the choice of a triple $(\lambda x_1 \cdots x_n.\,t^\circ\,;\,\theta^\circ\,;\,\phi^\circ)$ such that the
context $\lambda x_1 \cdots x_n.\,t^\circ$ and the substitution $\theta^\circ$ satisfy the properties (i)-(iii) in Lemma 1 and

$$\phi^\circ = \bigwedge_{i=1}^{n} \big(x_i = \theta^\circ(x_i)\big).$$

Example 2. Let $t$ be the term

maxBudget |-> s(s(N1:Nat)), timeToDeadline |-> s(N2:Nat), AttS:AttrSet

in the signature of Example 1, where N1, N2 are variables of sort Nat and AttS is a
variable of sort AttrSet. Consider the term $t^\circ$

maxBudget |-> N3:Nat, timeToDeadline |-> N4:Nat, AttS:AttrSet

and the substitution $\theta^\circ$ defined by $\theta^\circ(\mathtt{N3}) = \mathtt{s(s(N1))}$, $\theta^\circ(\mathtt{N4}) = \mathtt{s(N2)}$, and $\theta^\circ(x) = x$
otherwise. Then the context $\lambda\,\mathtt{N3},\mathtt{N4}.\,t^\circ$ is an abstraction of built-ins for $t$ and $\theta^\circ$ satisfies
properties (i)-(iii) in Lemma 1. Moreover, for any set $Y$ not containing variables N3
or N4, $t^\circ$ and $\theta^\circ$ satisfy $\mathit{abstract}_{\Sigma_0}(t, Y) = (\lambda x_1 \cdots x_n.\,t^\circ\,;\,\theta^\circ\,;\,\phi^\circ)$ with $\phi^\circ$ denoting the
constraint

N3 = s(s(N1)) ∧ N4 = s(N2).
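As an added illustration (not code from the paper), the following Python computes a choice of $\mathit{abstract}_{\Sigma_0}(t, Y)$ for terms over the signature of Example 1: it replaces every maximal built-in subterm by a fresh Nat variable, returns $\theta^\circ$ and $\phi^\circ$, and lets one check property (i) of Lemma 1 by applying $\theta^\circ$ back. The tuple encoding of terms, the prefix X for fresh variables, and the right-nested encoding of the multiset union are assumptions of the example; matching modulo the assoc/comm/id axioms of ',' is not modelled.

```python
"""Abstraction of built-ins (Lemma 1, abstract_{Sigma0}(t, Y)) over the signature of
Example 1.  Added example, not code from the paper.  Terms are nested tuples:
  ('var', name, sort)   a variable        (f, a1, ..., an)   an application of f
The binary multiset union ',' is nested to the right; matching modulo its assoc/comm/id
axioms is not modelled.  The prefix 'X' for fresh variables is an assumption.
"""
import itertools

BUILTIN_SORTS = {"Nat"}        # S0 of Example 1 (a single built-in sort)
BUILTIN_OPS = {"0", "s"}       # F0 of Example 1


def is_var(t):
    return t[0] == "var"


def is_builtin(t):
    """True iff t is in T_{Sigma0}(X0): a built-in variable or an F0-rooted term."""
    return t[2] in BUILTIN_SORTS if is_var(t) else t[0] in BUILTIN_OPS


def variables(t):
    """vars(t) as a set of (name, sort) pairs."""
    if is_var(t):
        return {(t[1], t[2])}
    return set().union(*[variables(a) for a in t[1:]])


def substitute(theta, t):
    """Homomorphic application of theta (dict name -> term) to t."""
    if is_var(t):
        return theta.get(t[1], t)
    return (t[0],) + tuple(substitute(theta, a) for a in t[1:])


def render(t):
    """Readable Maude-like rendering, e.g. maxBudget |-> s(s(N1))."""
    if is_var(t):
        return t[1]
    if t[0] in (",", "|->"):
        return f"{render(t[1])} {t[0]} {render(t[2])}"
    return t[0] if len(t) == 1 else f"{t[0]}({', '.join(render(a) for a in t[1:])})"


def abstract(t, avoid=frozenset(), prefix="X"):
    """A choice of abstract_{Sigma0}(t, Y): returns (xs, t0, theta, phi) where t0 is t
    with every maximal built-in subterm (bare Nat variables included) replaced by a
    fresh Nat variable, so t0 is S0-linear (Lemma 1 (iii)); theta maps each fresh x_i
    back to the subterm it replaced, so t == t0 theta (i); fresh names avoid vars(t)
    and the set `avoid` (ii); phi lists the equations x_i = theta(x_i)."""
    taken = {name for name, _ in variables(t)} | set(avoid)
    counter = itertools.count(1)
    theta, xs = {}, []

    def fresh():
        while True:
            name = f"{prefix}{next(counter)}"
            if name not in taken:
                taken.add(name)
                return name

    def go(u):
        if is_builtin(u):             # maximal built-in subterm: abstract it whole
            x = fresh()
            theta[x] = u
            xs.append(x)
            return ("var", x, "Nat")  # assumption: S0 = {Nat}, so the fresh sort is Nat
        if is_var(u):
            return u
        return (u[0],) + tuple(go(a) for a in u[1:])

    t0 = go(t)
    phi = [(("var", x, "Nat"), theta[x]) for x in xs]
    return xs, t0, theta, phi


def example2_term():
    """t of Example 2: maxBudget |-> s(s(N1)), timeToDeadline |-> s(N2), AttS."""
    n1, n2 = ("var", "N1", "Nat"), ("var", "N2", "Nat")
    atts = ("var", "AttS", "AttrSet")
    return (",", ("|->", ("maxBudget",), ("s", ("s", n1))),
            (",", ("|->", ("timeToDeadline",), ("s", n2)), atts))


if __name__ == "__main__":
    t = example2_term()
    xs, t0, theta, phi = abstract(t, avoid={"N3"})
    print("t0  :", render(t0))
    print("phi :", " /\\ ".join(f"{render(l)} = {render(r)}" for l, r in phi))
    print("t0 theta == t:", substitute(theta, t0) == t)
```

Running the block on the term of Example 2 yields a left-hand-side shape in which both Nat positions are distinct fresh variables, which is exactly what makes $B_1$-matching against it purely structural in Lemma 4.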

Under certain restrictions on axioms, matching a $\Sigma$-term $t$ to a $\Sigma$-term $u$ can be
decomposed modularly into $\Sigma_1$-matching of the corresponding $B_1$-abstraction and $\Sigma_0$-matching
of the built-in subterms. This is described in Lemma 2, with the help of
Corollary 1.

Corollary 1. Let $\Sigma = (S, \leq, F)$ be a signature with built-in subsignature $\Sigma_0 = (S_0, F_0)$.
Let $B_0$ be a set of $\Sigma_0$-axioms and $B_1$ a set of $\Sigma_1$-axioms. For $B_0$ and $B_1$ regular, linear,
collapse free for any sort in $S_0$, and sort-preserving, and $t \in T_\Sigma(X_0)$:

(a) if $t \in T_{\Sigma_0}(X_0)$ and $t =_{B_1} t'$, then $t = t'$;

(b) if $t \in T_{\Sigma_1}(X_0)$ and $t =_{B_0} t'$, then $t = t'$;

(c) if $t \in T_{\Sigma_1}(X_0)$ and $t =_{B_1} t'$, then $vars(t) = vars(t')$ and $t$ is linear iff $t'$ is so.

Proof.

(a) Axioms $B_1$ do not mention any function symbol in $F_0$. Therefore, the equations in
$B_1$ can only apply to variables in $X_0$. But $B_1$ is collapse-free for any sort in $S_0$.
Therefore, no $B_1$ equation can be applied to $t$, forcing $t = t'$.

(b) Same argument as (a), with the roles of $B_0$ and $F_1$ exchanged.

(c) Consequence of $B_1$ being regular and linear.

□

Lemma 2. Let $\Sigma = (S, \leq, F)$ be a signature with built-in subsignature $\Sigma_0 = (S_0, F_0)$.
Let $B_0$ be a set of $\Sigma_0$-axioms and $B_1$ a set of $\Sigma_1$-axioms. For $B_0$ and $B_1$ regular, linear,
collapse free for any sort in $S_0$, and sort-preserving, if $t \in T_{\Sigma_1}(X_0)$ is linear with
$vars(t) = \{x_1, \ldots, x_n\}$, then for each $\theta : X_0 \to T_{\Sigma_0}(X_0)$:

(a) if $t\theta =^1_{B_0} t'$, then there exist $x \in \{x_1, \ldots, x_n\}$ and $w \in T_{\Sigma_0}(X_0)$ such that $\theta(x) =^1_{B_0} w$
and $t' = t\theta'$, with $\theta'(x) = w$ and $\theta'(y) = \theta(y)$ otherwise;

(b) if $t\theta =^1_{B_1} t'$, then there exists $v \in T_{\Sigma_1}(X_0)$ such that $t =^1_{B_1} v$ and $t' = v\theta$; and

(c) if $t\theta =_{B_0 \uplus B_1} t'$, then there exist $v \in T_{\Sigma_1}(X_0)$ and $\theta' : X_0 \to T_{\Sigma_0}(X_0)$ such that
$t' = v\theta'$, $t =_{B_1} v$, and $\theta =_{B_0} \theta'$ (i.e., $\theta(x) =_{B_0} \theta'(x)$ for each $x \in X_0$).

Proof. (a) It follows from Corollary 1 part (b) that $B_0$ can only be applied on some
built-in subterm $\theta(x)$ of $t\theta$, for some $x \in dom(\theta)$. That is, there is $w \in T_{\Sigma_0}(X_0)$ such
that $\theta(x) =^1_{B_0} w$ and, since $t$ is linear,  $t' = t\theta'$, where $\theta'(x) = w$ and $\theta'(y) = \theta(y)$
otherwise.

(b) It follows from Corollary 1 part (c) that equational deduction with $B_1$ can only
permute the built-in variables in $t$ and it does not equate built-in subterms such as
the ones in $ran(\theta)$. Hence, by Corollary 1 part (c), there exists a linear $v \in T_{\Sigma_1}(X_0)$
such that $t =^1_{B_1} v$ and $t' = v\theta$.

(c) Follows by induction on the proof's length in $B_0 \uplus B_1$.

□

Definition 2 (Rewriting Modulo a Built-in Subtheory). A rewrite theory modulo the
built-in subtheory $\mathcal{E}_0$ is a topmost rewrite theory $\mathcal{R} = (\Sigma, E, R)$ with:

(a) $\Sigma = (S, \leq, F)$ a signature with built-in subsignature $\Sigma_0 = (S_0, F_0)$ and top sort $\mathit{State} \in S$;

(b) $E = E_0 \uplus B_0 \uplus B_1$, where $E_0$ is a set of $\Sigma_0$-equations, $B_0$ (resp., $B_1$) are $\Sigma_0$-axioms
(resp., $\Sigma_1$-axioms) satisfying the conditions in Lemma 2, $\mathcal{E}_0 = (\Sigma_0, E_0 \uplus B_0)$ and
$\mathcal{E} = (\Sigma, E)$ are admissible, and the theory inclusion $\mathcal{E}_0 \subseteq \mathcal{E}$ is protecting;

(c) $R$ is a set of rewrite rules of the form $l(\vec{x}_1, \vec{y}) \to r(\vec{x}_2, \vec{y})\ \mathit{if}\ \phi(\vec{x}_3)$ such that
$l, r \in T_\Sigma(X)_{\mathit{State}}$, $l$ is $(S \setminus S_0)$-linear, $\vec{x}_i : \vec{s}_i$ with $\vec{s}_i \in S_0^*$ for $i \in \{1, 2, 3\}$, $\vec{y} : \vec{s}$ with
$\vec{s} \in (S \setminus S_0)^*$, and $\phi \in QF_{\Sigma_0}(X_0)$, where $QF_{\Sigma_0}(X_0)$ denotes the set of quantifier-free
$\Sigma_0$-formulas with variables in $X_0$.

Note that no assumption is made on the relationship between the built-in variables
$\vec{x}_1$ in the left-hand side, $\vec{x}_2$ in the right-hand side, and $\vec{x}_3$ in the condition $\phi$ of a rewrite
rule. This freedom is key for specifying open systems with a rewrite theory because,
for instance, $\vec{x}_2$ can have more variables than $\vec{x}_1$. On the other hand, due to the presence
of conditions $\phi$ in the rules of $\mathcal{R}$ that are general quantifier-free formulas, as opposed
to a conjunction of atoms, properly speaking $\mathcal{R}$ is more general than a standard rewrite
theory as defined in Section 2.

The binary rewrite relation induced by a rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$ on $T_{\Sigma,\mathit{State}}$ is
called the ground rewrite relation of $\mathcal{R}$.

Definition 3 (Ground Rewrite Relation). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo
$\mathcal{E}_0$. The relation $\to_\mathcal{R}$ induced by $\mathcal{R}$ on $T_{\Sigma,\mathit{State}}$ is defined for $t, u \in T_{\Sigma,\mathit{State}}$ by $t \to_\mathcal{R} u$ iff
there is a rule $l \to r\ \mathit{if}\ \phi$ in $R$ and a ground substitution $\sigma : X \to T_\Sigma$ such that (a)
$t =_E l\sigma$, $u =_E r\sigma$, and (b) $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$.

The ground rewrite relation $\to_\mathcal{R}$ is the topmost rewrite relation induced by $\mathcal{R}$ modulo
$E$ on $T_{\Sigma,\mathit{State}}$. This relation is defined even when a rule in $R$ has extra variables in its
right-hand side: the rule is then non-deterministic and such extra variables can be
arbitrarily instantiated, provided that the corresponding instantiation of $\phi$ holds. Also, note
that non-built-in variables can occur in $l$, but $\phi\sigma$ is a variable-free formula in $QF_{\Sigma_0}(\emptyset)$,
so that either $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$ or $\mathcal{T}_{\mathcal{E}_0} \not\models \phi\sigma$.

A rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$ always has a canonical representation in which all
left-hand sides of rules are $S_0$-linear $\Sigma_1$-terms.

Definition 4 (Normal Form of a Rewrite Theory Modulo $\mathcal{E}_0$). Let $\mathcal{R} = (\Sigma, E, R)$ be a
rewrite theory modulo $\mathcal{E}_0$. Its normal form $\mathcal{R}^\circ = (\Sigma, E, R^\circ)$ has rules:

$$R^\circ = \{\, l^\circ \to r\ \mathit{if}\ \phi \wedge \phi^\circ \ \mid\ (\exists\, l \to r\ \mathit{if}\ \phi \in R)\ (\lambda\vec{x}.\,l^\circ\,;\,\theta^\circ\,;\,\phi^\circ) = \mathit{abstract}_{\Sigma_0}(l, vars(\{l, r, \phi\}))\,\}.$$

Lemma 3 (Invariance of Ground Rewriting under Normalization). Let $\mathcal{R} = (\Sigma, E, R)$
be a rewrite theory modulo $\mathcal{E}_0$. Then $\to_\mathcal{R} = \to_{\mathcal{R}^\circ}$.

Proof. It is shown that $\to_\mathcal{R} \subseteq \to_{\mathcal{R}^\circ}$ and $\to_{\mathcal{R}^\circ} \subseteq \to_\mathcal{R}$.

($\subseteq$) Let $t, u \in T_{\Sigma,\mathit{State}}$. If $t \to_\mathcal{R} u$, then there is a rule $(l \to r\ \mathit{if}\ \phi) \in R$ and a ground
substitution $\sigma : X \to T_\Sigma$ such that $t =_E l\sigma$, $u =_E r\sigma$, and $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$. It suffices
to prove $t \to_{\mathcal{R}^\circ} u$ with witnesses $(l^\circ \to r\ \mathit{if}\ \phi \wedge \phi^\circ) \in R^\circ$ and $\rho = \theta^\circ\sigma$. Note
that $t =_E l\sigma = l^\circ\theta^\circ\sigma = l^\circ\rho$. For $\mathcal{T}_{\mathcal{E}_0} \models (\phi \wedge \phi^\circ)\rho$ first note that $\mathcal{T}_{\mathcal{E}_0} \models \phi\rho$ since
$\phi\rho = \phi\theta^\circ\sigma = \phi\sigma$ (because $vars(\phi) \cap dom(\theta^\circ) = \emptyset$) and $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$ by assumption.
For $\mathcal{T}_{\mathcal{E}_0} \models \phi^\circ\rho$ notice that $\theta^\circ\theta^\circ = \theta^\circ$ because $ran(\theta^\circ) \cap dom(\theta^\circ) = \emptyset$, and then:

$$\phi^\circ\rho = \Big(\bigwedge_{i=1}^{n} x_i = \theta^\circ(x_i)\Big)\rho
= \bigwedge_{i=1}^{n} x_i\rho = \theta^\circ(x_i)\rho
= \bigwedge_{i=1}^{n} \theta^\circ(x_i)\sigma = \theta^\circ(x_i)\theta^\circ\sigma
= \bigwedge_{i=1}^{n} \theta^\circ(x_i)\sigma = \theta^\circ(x_i)\sigma = \top.$$

Hence, $t \to_{\mathcal{R}^\circ} u$.

($\supseteq$) Let $t, u \in T_{\Sigma,\mathit{State}}$. If $t \to_{\mathcal{R}^\circ} u$, then there is a rule $(l^\circ \to r\ \mathit{if}\ \phi \wedge \phi^\circ) \in R^\circ$ and a ground
substitution $\sigma : X \to T_\Sigma$ such that $t =_E l^\circ\sigma$, $u =_E r\sigma$, and $\mathcal{T}_{\mathcal{E}_0} \models (\phi \wedge \phi^\circ)\sigma$. It
suffices to prove $t \to_\mathcal{R} u$ with witness $(l \to r\ \mathit{if}\ \phi) \in R$. Let $(\lambda x_1 \cdots x_n.\,l^\circ\,;\,\theta^\circ\,;\,\phi^\circ)$ be
the abstraction of built-ins for $l$. Substitution $\sigma$ can be decomposed into substitutions
$\theta : X_0 \to T_{\Sigma_0}(X_0)$ and $\rho : X \to T_\Sigma$, with $\theta(x) = \sigma(x)$ if $x \in \{x_1, \ldots, x_n\}$
and $\theta(x) = x$ otherwise, such that $\sigma = \theta\rho$. From $\mathcal{T}_{\mathcal{E}_0} \models (\phi \wedge \phi^\circ)\sigma$ it follows that
$\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$, i.e., $\mathcal{T}_{\mathcal{E}_0} \models \phi\rho$ because $vars(\phi) \cap dom(\theta) = \emptyset$. Also, it follows that
$\mathcal{T}_{\mathcal{E}_0} \models \bigwedge_{i=1}^{n} \theta(x_i)\rho = \theta^\circ(x_i)\rho$, which implies that:

$$t =_E l^\circ\sigma = l^\circ\theta\rho =_{E_0 \uplus B_0} l^\circ\theta^\circ\rho = l\rho.$$

Hence, $t \to_\mathcal{R} u$.

□

By the properties of the axioms in a rewrite theory modulo built-ins $\mathcal{R} = (\Sigma, E_0 \uplus
B_0 \uplus B_1, R)$ (see Definition 2), $B_1$-matching a term $t \in T_\Sigma(X_0)$ to a left-hand side $l^\circ$ of a
rule in $R^\circ$ provides a complete unifiability algorithm for ground $B_1$-unification of $t$ and
$l^\circ$.

Lemma 4 (Matching Lemma). Let $\mathcal{R} = (\Sigma, E_0 \uplus B_0 \uplus B_1, R)$ be a rewrite theory modulo
$\mathcal{E}_0$. For $t \in T_\Sigma(X_0)_{\mathit{State}}$ and $l^\circ$ a left-hand side of a rule in $R^\circ$ with $vars(t) \cap vars(l^\circ) = \emptyset$,

$$t \ll_{B_1} l^\circ \quad\text{iff}\quad GU_{B_1}(t = l^\circ) \neq \emptyset,$$

where $GU_{B_1}(t = l^\circ) = \{\sigma : X \to T_\Sigma \mid t\sigma =_{B_1} l^\circ\sigma\}$.

Proof.

($\Rightarrow$) If $t \ll_{B_1} l^\circ$, then $t =_{B_1} l^\circ\theta$ for some $\theta : X \to T_\Sigma(X)$. Let $\rho : X \to T_\Sigma$
be any ground substitution, which exists because $\Sigma$ has nonempty sorts. Then
$\theta\rho \in GU_{B_1}(t = l^\circ)$.

($\Leftarrow$) Let $\sigma \in GU_{B_1}(t = l^\circ)$ with $l \to r\ \mathit{if}\ \phi \in R$. Let $vars(l^\circ) \cap X_0 = \{x_1, \ldots, x_n\}$ and
$X_1 = X \setminus X_0$. Note that there are substitutions

$$\alpha : vars(l^\circ) \cap X_1 \to T_{\Sigma_1}(X_0), \qquad \rho : X \setminus dom(\alpha) \to T_\Sigma$$

satisfying $\sigma = \alpha\rho$ and such that $l^\circ\alpha \in T_{\Sigma_1}(X_0)$ is linear and
$ran(\alpha) \cap vars(t, l^\circ) = \emptyset$.

Let $ran(\alpha) = \{y_1, \ldots, y_m\}$. Therefore, by Lemma 2, there exists $u \in T_{\Sigma_1}(X_0)$
such that $u =_{B_1} l^\circ\alpha$, $u$ is linear, $vars(u) = vars(l^\circ\alpha) = \{x_1, \ldots, x_n, y_1, \ldots, y_m\}$,
and $u\rho = t$. Moreover, $t$ can be written as $u(t_1, \ldots, t_n, t_{n+1}, \ldots, t_{n+m})$ with $t_i \in
T_{\Sigma_0}(X_0)$. Define $\theta : X_0 \to T_{\Sigma_0}(X_0)$ by $\theta(x_i) = t_i$ for $x_i \in \{x_1, \ldots, x_n\}$, $\theta(y_i) = t_{n+i}$ for
$y_i \in \{y_1, \ldots, y_m\}$, and $\theta(x) = x$ otherwise. Then we have:

$$t = u(t_1, \ldots, t_n, t_{n+1}, \ldots, t_{n+m}) = u(x_1, \ldots, x_n, y_1, \ldots, y_m)\theta =_{B_1} l^\circ\alpha\theta.$$

Therefore, $t \ll_{B_1} l^\circ$.

□


4. Symbolic Rewriting Modulo a Built-in Subtheory

This section explains how a rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$ defines a symbolic rewrite
relation on terms in $T_\Sigma(X_0)_{\mathit{State}}$ constrained by formulas in $QF_{\Sigma_0}(X_0)$. The key idea is
that, when $\mathcal{E}_0$ is a decidable theory, transitions on the symbolic terms can be performed
by rewriting modulo $B_1$, and satisfiability of the formulas can be handled by an SMT
decision procedure. This approach provides an efficiently executable symbolic method
called rewriting modulo SMT that is sound and complete with respect to the ground
rewrite relation of Definition 3 and yields a complete symbolic reachability analysis
method.

Definition 5 (Constrained Terms and their Denotation). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite
theory modulo $\mathcal{E}_0$. A constrained term is a pair $(t\,;\,\varphi)$ in $T_\Sigma(X_0)_{\mathit{State}} \times QF_{\Sigma_0}(X_0)$. Its
denotation is defined as $[\![t]\!]_\varphi = \{t' \in T_{\Sigma,\mathit{State}} \mid (\exists \sigma : X_0 \to T_{\Sigma_0})\ t' = t\sigma \wedge \mathcal{T}_{\mathcal{E}_0} \models \varphi\sigma\}$.

The domain of $\sigma$ in Definition 5 ranges over all built-in variables $X_0$ and consequently
$[\![t]\!]_\varphi \subseteq T_{\Sigma,\mathit{State}}$ for any $t \in T_\Sigma(X_0)_{\mathit{State}}$, even if $vars(t) \not\subseteq vars(\varphi)$. Intuitively,
$[\![t]\!]_\varphi$ denotes the set of all ground states that are instances of $t$ and satisfy $\varphi$.

Before introducing the symbolic rewrite relation on constrained terms induced by a
rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$, auxiliary notation for variable renaming is required. In the
rest of the paper, the expression $\mathit{fresh\text{-}vars}(Y)$, for $Y \subseteq X$ finite, represents the choice
of a variable renaming $\zeta : X \to X$ satisfying $Y \cap ran(\zeta) = \emptyset$.

Definition 6 (Symbolic Rewrite Relation). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo
built-ins $\mathcal{E}_0$. The symbolic rewrite relation $\leadsto_\mathcal{R}$ induced by $\mathcal{R}$ on $T_\Sigma(X_0)_{\mathit{State}} \times
QF_{\Sigma_0}(X_0)$ is defined for $t, u \in T_\Sigma(X_0)_{\mathit{State}}$ and $\varphi, \varphi' \in QF_{\Sigma_0}(X_0)$ by $(t\,;\,\varphi) \leadsto_\mathcal{R} (u\,;\,\varphi')$
iff there is a rule $l \to r\ \mathit{if}\ \phi$ in $R$ and a substitution $\theta : X \to T_\Sigma(X)$ such that (a)
$t =_E l\zeta\theta$ and $u = r\zeta\theta$, (b) $\mathcal{E}_0 \vdash \varphi' \Leftrightarrow \varphi \wedge \phi\zeta\theta$, and (c) $\varphi'$ is $\mathcal{T}_{\mathcal{E}_0}$-satisfiable, where
$\zeta = \mathit{fresh\text{-}vars}(vars(t, \varphi))$.

The symbolic relation $\leadsto_\mathcal{R}$ on constrained terms is defined as a topmost rewrite
relation induced by $\mathcal{R}$ modulo $E$ on $T_\Sigma(X_0)$ with extra bookkeeping of constraints. Note
that $\varphi'$ in $(t\,;\,\varphi) \leadsto_\mathcal{R} (u\,;\,\varphi')$, when witnessed by $l \to r\ \mathit{if}\ \phi$ and $\theta$, is semantically
equivalent to $\varphi \wedge \phi\zeta\theta$, in contrast to being syntactically equal. This extra freedom allows
for simplification of constraints if desired. Also, such a constraint $\varphi'$ is satisfiable in
$\mathcal{T}_{\mathcal{E}_0}$, implying that $\varphi$ and $\phi\zeta\theta$ are both satisfiable in $\mathcal{T}_{\mathcal{E}_0}$, and therefore $[\![t]\!]_\varphi \neq \emptyset \neq [\![u]\!]_{\varphi'}$.
Note that, up to the choice of the semantically equivalent $\varphi'$ for which a fixed strategy is
assumed, the symbolic relation $\leadsto_\mathcal{R}$ is "deterministic", in the sense of being determined
by the rule and the substitution $\zeta\theta$, because the renaming of variables in the rules is
fixed by $\mathit{fresh\text{-}vars}$. This is key when executing $\leadsto_\mathcal{R}$ as explained in Section 5.

The important question to ask is whether this symbolic relation soundly and completely
simulates its ground counterpart. The rest of this section affirmatively answers
this question in the case of normalized rewrite theories modulo built-ins. Thanks to
Lemma 3, the conclusion is therefore that $\leadsto_{\mathcal{R}^\circ}$ soundly and completely simulates $\to_\mathcal{R}$
for any rewrite theory $\mathcal{R}$ modulo built-ins $\mathcal{E}_0$.

The soundness of $\leadsto_{\mathcal{R}^\circ}$ w.r.t. $\to_\mathcal{R}$ is stated in Theorem 1.

Theorem 1 (Soundness). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo built-ins $\mathcal{E}_0$,
$t, u \in T_\Sigma(X_0)_{\mathit{State}}$, and $\varphi, \varphi' \in QF_{\Sigma_0}(X_0)$. If $(t\,;\,\varphi) \leadsto_{\mathcal{R}^\circ} (u\,;\,\varphi')$, then $t\rho \to_\mathcal{R} u\rho$ for all
$\rho : X_0 \to T_{\Sigma_0}$ satisfying $\mathcal{T}_{\mathcal{E}_0} \models \varphi'\rho$.

Proof. Let $\rho : X_0 \to T_{\Sigma_0}$ satisfy $\mathcal{T}_{\mathcal{E}_0} \models \varphi'\rho$. The goal is to show that $t\rho \to_\mathcal{R} u\rho$.
Let $l^\circ \to r\ \mathit{if}\ \phi \in R^\circ$ and $\theta : X \to T_\Sigma(X_0)$ witness $(t\,;\,\varphi) \leadsto_{\mathcal{R}^\circ} (u\,;\,\varphi')$. Then
$t =_E l^\circ\zeta\theta$, $u =_E r\zeta\theta$, $\mathcal{E}_0 \vdash (\varphi' \Leftrightarrow \varphi \wedge \phi\zeta\theta)$, and $\varphi'$ is $\mathcal{T}_{\mathcal{E}_0}$-satisfiable. Without loss
of generality assume $dom(\theta) = vars(l^\circ\zeta)$ and $\theta|_{vars(t, \varphi)} = id$, and let $\sigma = \zeta\theta\rho$. Then
note that $t\rho =_E (l^\circ\zeta\theta)\rho = l^\circ\zeta\theta\rho = l^\circ\sigma$ and $u\rho =_E (r\zeta\theta)\rho = r\zeta\theta\rho = r\sigma$. Moreover,
$\mathcal{T}_{\mathcal{E}_0} \models (\varphi' \Leftrightarrow \varphi \wedge \phi\zeta\theta)$ and $\mathcal{T}_{\mathcal{E}_0} \models \varphi'\rho$ imply $\mathcal{T}_{\mathcal{E}_0} \models \phi\zeta\theta\rho$, i.e., $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$. Therefore,
$t\rho \to_\mathcal{R} u\rho$, as desired. □

The completeness of $\leadsto_{\mathcal{R}^\circ}$ w.r.t. $\to_\mathcal{R}$ is stated in Theorem 2. Intuitively, completeness
states that a symbolic relation yields an over-approximation of its ground rewriting
counterpart.

Theorem 2 (Completeness). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo built-ins
$\mathcal{E}_0$, $t \in T_\Sigma(X_0)_{\mathit{State}}$, $u' \in T_{\Sigma,\mathit{State}}$, and $\varphi \in QF_{\Sigma_0}(X_0)$. For any $\rho : X_0 \to T_{\Sigma_0}$ such
that $t\rho \in [\![t]\!]_\varphi$ and $t\rho \to_\mathcal{R} u'$, there exist $u \in T_\Sigma(X_0)_{\mathit{State}}$ and $\varphi' \in QF_{\Sigma_0}(X_0)$ such that
$(t\,;\,\varphi) \leadsto_{\mathcal{R}^\circ} (u\,;\,\varphi')$ and $u' \in [\![u]\!]_{\varphi'}$.

Proof. By the assumptions there is a rule $(l^\circ \to r\ \mathit{if}\ \phi) \in R^\circ$ and a ground substitution
$\sigma : X \to T_\Sigma$ satisfying $t\rho =_E l^\circ\sigma$, $u' =_E r\sigma$, and $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$. Without loss of
generality assume $vars(t, \varphi) \cap vars(l^\circ, r, \phi) = \emptyset$; otherwise $l^\circ, r, \phi$ can be renamed by
means of $\mathit{fresh\text{-}vars}$. Furthermore, since $vars(t, \varphi) \cap vars(l^\circ, \phi) = \emptyset$, $\rho$ can be taken to
agree with $\sigma$ on the variables of the rule, so that $\sigma = \rho$ is assumed in what follows. The goal
is to show the existence of $u \in T_\Sigma(X_0)_{\mathit{State}}$ and $\varphi' \in QF_{\Sigma_0}(X_0)$ such
that (i) $(t\,;\,\varphi) \leadsto_{\mathcal{R}^\circ} (u\,;\,\varphi')$ and (ii) $u' \in [\![u]\!]_{\varphi'}$. Since $l^\circ$ is linear and built-in subterms
are variables, by Lemma 2 there exists $\alpha : X \to T_\Sigma$ satisfying $t\alpha =_{B_1} l^\circ\alpha$. Hence
$GU_{B_1}(t = l^\circ) \neq \emptyset$ and, by Lemma 4, there exists $\theta' : X \to T_\Sigma(X)$ satisfying $t =_{B_1} l^\circ\theta'$
and a fortiori $t =_{E_0 \uplus B_0 \uplus B_1} l^\circ\theta'$. Let $\theta : X \to T_\Sigma(X)$ be defined by $\theta(x) = \theta'(x)$ if
$x \in vars(l^\circ)$ and $\theta(x) = \rho(x)$ otherwise. Note that $\theta|_{vars(l^\circ)}\rho =_{E_0 \uplus B_0} \rho|_{vars(l^\circ)}$. Define $u = r\theta$
and $\varphi' = \varphi \wedge \phi\theta$, and then for (i) and (ii) above:

(i) It suffices to prove that $\mathcal{T}_{\mathcal{E}_0} \models \varphi'\rho$, i.e., $\mathcal{T}_{\mathcal{E}_0} \models (\varphi \wedge \phi\theta)\rho$. By assumption $\mathcal{T}_{\mathcal{E}_0} \models \varphi\rho$
and $\mathcal{T}_{\mathcal{E}_0} \models \phi\rho$. Notice that:

$$\phi\theta\rho = (\phi\theta|_{vars(l^\circ)})\rho =_{E_0 \uplus B_0} (\phi\rho)\rho = \phi\rho.$$

Hence $\mathcal{T}_{\mathcal{E}_0} \models \phi\theta\rho$.

(ii) By assumption $u' =_{E_0 \uplus B_0 \uplus B_1} r\rho$; also:

$$r\rho =_{E_0 \uplus B_0 \uplus B_1} r\theta|_{vars(l^\circ)}\rho = r\theta\rho = u\rho.$$

Hence $u' =_{E_0 \uplus B_0 \uplus B_1} u\rho \in [\![u]\!]_{\varphi'}$ by part (i).

□

Although the above soundness and completeness theorems, plus Lemma 3, show that $\to_{\mathcal{R}}$ is characterized symbolically by $\leadsto_{\mathcal{R}}$ for any rewrite theory $\mathcal{R}$ modulo $E_0$, the relation $\leadsto_{\mathcal{R}}$ is in general undecidable because of Condition (c) in Definition 6. However, $\leadsto_{\mathcal{R}}$ becomes decidable for built-in theories $E_0$ that can be extended to a decidable theory $E_0^+$ (typically by adding some inductive consequences and the order on natural numbers) such that

$$(\forall \varphi \in QF_{\Sigma_0}(X_0))\quad \varphi \text{ is } E_0^+\text{-satisfiable} \iff (\exists \sigma : X_0 \to T_{\Sigma_0})\; T_{E_0} \models \varphi\sigma. \qquad (1)$$
Many decidable theories $E_0^+$ of interest are supported by SMT solvers satisfying this requirement. For example, $E_0$ can be the equational theory of natural number addition and $E_0^+$ Presburger arithmetic. That is, $T_{E_0}$ is the standard model of both $E_0$ and $E_0^+$, and $E_0^+$-satisfiability coincides with satisfiability in such a standard model. Under such conditions, satisfiability of $\varphi \wedge \phi\theta$ (and therefore of $\varphi'$) in a step $\langle t ; \varphi \rangle \leadsto_{\mathcal{R}} \langle u ; \varphi' \rangle$ becomes decidable by invoking an SMT solver for $E_0^+$, so that $\leadsto_{\mathcal{R}}$ can be naturally described as symbolic rewriting modulo SMT (and modulo $E_0^+$).

The symbolic reachability problems considered for a rewrite theory $\mathcal{R}$ modulo $E_0$ in this paper are existential formulas of the form $(\exists \vec{x})\; t \to^* u \wedge \varphi$, with $\vec{x}$ the variables appearing in $t$, $u$, and $\varphi$, $t, u \in T_\Sigma(X_0)_{State}$, and $\varphi \in QF_{\Sigma_0}(X_0)$. By abstracting the $\Sigma_0$-subterms of $u$, the ground solutions of such a reachability problem are those witnessing the model-theoretic satisfaction relation

$$\mathcal{T}_{\mathcal{R}} \models (\exists \vec{x} \uplus \vec{y})\; t(\vec{x}) \to^* u^\circ(\vec{y}) \wedge \varphi_1(\vec{x}) \wedge \varphi_2(\vec{x}, \vec{y}), \qquad (2)$$

where $\mathcal{T}_{\mathcal{R}} = (T_{\Sigma/E}, \to^*_{\mathcal{R}})$ is the initial reachability model of $\mathcal{R}$ [12], $t \in T_\Sigma(X_0)$ and $u^\circ \in T_\Sigma(X)$ are $\Sigma_0$-linear, $vars(t) \subseteq \vec{x} \subseteq X_0$, and $\vec{y} \subseteq X$. Thanks to the soundness and completeness results, Theorem 1 and Theorem 2, the solvability of (2) for $\to_{\mathcal{R}}$ can be achieved by reachability analysis with $\leadsto_{\mathcal{R}}$, as stated in Theorem 3.

Theorem 3 (Symbolic Reachability Analysis). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo built-ins $E_0$. The model-theoretic satisfaction relation in (2) has a solution iff there exist a term $v \in T_\Sigma(X)_{State}$, a constraint $\varphi' \in QF_{\Sigma_0}(X_0)$, and a substitution $\theta : X \to T_\Sigma(X)$, with $dom(\theta) \subseteq \vec{y}$, such that (a) $\langle t ; \varphi_1 \rangle \leadsto^*_{\mathcal{R}} \langle v ; \varphi' \rangle$, (b) $v =_{B_1} u^\circ\theta$, and (c) $\varphi' \wedge \varphi_2\theta$ is $T_{E_0}$-satisfiable.

Proof. By Theorems 1 and 2, and induction on the length of the rewrite derivation. □

In Theorem 3, since $dom(\theta) \subseteq \vec{y}$, and $\vec{x}$ and $\vec{y}$ are disjoint, the variables of $\vec{x}$ in $\varphi_2\theta$ are left unchanged. Therefore, $\varphi_2\theta$ links the requirements for the variables $\vec{x}$ in the initial state and $v$ in the final state according to both $\varphi_1$ and $\varphi_2$. Also note that the inclusion of formula $\varphi_1$ as a conjunct in the formula in Condition (c) of Theorem 3 is superfluous because $\langle t ; \varphi_1 \rangle \leadsto^*_{\mathcal{R}} \langle v ; \varphi' \rangle$ implies that $\varphi_1$ is a semantic consequence of $\varphi'$.

5. Reflective Implementation of $\leadsto_{\mathcal{R}}$

This section discusses the design and implementation of a prototype that offers support for symbolic rewriting modulo SMT in the Maude system. The prototype relies on Maude's meta-level features, which implement rewriting logic's reflective capabilities, and on SMT solving for $E_0^+$ integrated in Maude as CVC3's decision procedures. The extension of Maude with CVC3 is available from the Matching Logic Project [44]. In the rest of this section, $\mathcal{R} = (\Sigma, E_0 \uplus B_0 \uplus B_1, R)$ is a rewrite theory modulo built-ins $E_0$, where $E_0$ satisfies Condition (1) in Section 4. The theory mapping $\mathcal{R} \mapsto u(\mathcal{R})$ makes the rules unconditional by removing the constraints $\phi$ in the conditions of the rules in $R$.
In Maude, reflection is efficiently supported by its META-LEVEL module [14], which provides key functionality for rewriting logic's universal theory $\mathcal{U}$ [15]. In particular, rewrite theories $\mathcal{R}$ are meta-represented in $\mathcal{U}$ as terms $\overline{\mathcal{R}}$ of sort Module, and a term $t$ in $\mathcal{R}$ is meta-represented in $\mathcal{U}$ as a term $\overline{t}$ of sort Term. The key idea of the reflective implementation is to reduce symbolic rewriting with $\leadsto_{\mathcal{R}}$ to standard rewriting in an associated reflective rewrite theory that extends the universal theory $\mathcal{U}$. This reduction is especially important for formal analysis purposes, because it makes available to $\leadsto_{\mathcal{R}}$ some formal analysis features provided by Maude for rewrite theories, such as reachability analysis by search. This is illustrated by the case studies in Sections 6 and 7.

The prototype defines a parametrized functional module $SAT(\Sigma_0, E_0 \uplus B_0)$ of quantifier-free formulas with $\Sigma_0$-equations as atoms. In particular, this module extends $(\Sigma_0, E_0 \uplus B_0)$ with new sorts Atom and QFFormula, and new constants $var(X_0)$ representing the variables $X_0$. It has, among other functions, a function $sat : \mathrm{QFFormula} \to \mathrm{Bool}$ such that for $\varphi$, $sat(\varphi) = \top$ if $\varphi$ is $E_0^+$-satisfiable, and $sat(\varphi) = \bot$ otherwise.

The process of computing the one-step rewrites of a given constrained term $\langle t ; \varphi \rangle$ under $\leadsto_{\mathcal{R}}$ is decomposed into two conceptual steps using Maude's metalevel. First, all possible triples $\langle u ; \theta ; \phi \rangle$ such that $t \to_{u(\mathcal{R})} u$ is witnessed by a matching substitution $\theta$ and a rule with constraint $\phi$ are computed¹. Second, these triples are filtered by keeping only those for which the quantifier-free formula $\varphi \wedge \phi\theta$ is $E_0^+$-satisfiable.

The first step in the process is mechanized by function next, available from the parametrized module $NEXT(\overline{\mathcal{R}}, \overline{State}, \overline{QFFormula})$, where $\overline{\mathcal{R}}$, $\overline{State}$, and $\overline{QFFormula}$ are the metalevel representations, respectively, of the rewrite theory module $\mathcal{R}$, the state sort State, and the quantifier-free formula sort QFFormula. Function next uses Maude's meta-match function and the auxiliary function new-vars for computing fresh variables (see Section 4). In particular, the call $next(\overline{((\Sigma, \le, F \uplus var(X_0)), E_0 \uplus B_0 \uplus B_1, R^\circ)}, \overline{t}, \overline{\varphi})$ computes all possible triples $\langle \overline{u} ; \overline{\theta'} ; \overline{\phi'} \rangle$ such that $t \to_{u(\mathcal{R})} u$ is witnessed by a substitution $\theta'$ and a rule with constraint $\phi'$. More precisely, such a call first computes a renaming $\xi = \mathrm{fresh\text{-}vars}(vars(t, \varphi))$ and then, for each rule $(l^\circ \to r \;\mathrm{if}\; \phi)$, it uses the function meta-match to obtain a substitution $\theta \in \mathrm{meta\text{-}match}(\overline{((\Sigma, \le, F \uplus var(X_0)), B_0 \uplus B_1)}, \overline{t\!\downarrow_{E_0/B_0 \uplus B_1}}, \overline{l^\circ\xi})$, and returns $\langle \overline{u} ; \overline{\theta'} ; \overline{\phi'} \rangle$ with $u = r\xi\theta$, $\theta' = \xi\theta$, and $\phi' = \phi\xi\theta$. Note that by having a deterministic choice of fresh variables (including those in the constraint), function next is actually a deterministic function.

Using the above-mentioned infrastructure, the parametrized module NEXT implements the symbolic rewrite relation $\leadsto_{\mathcal{R}}$ as a standard rewrite relation, extending META-LEVEL, by means of the following conditional rewrite rule:

    crl ⟨X:State ; φ:QFFormula⟩ → ⟨Y:State ; φ':QFFormula⟩
      if ⟨Y ; θ ; ϕ⟩ S := next(R*, X, φ) ∧ sat(φ ∧ ϕ) = ⊤ ∧ φ' := φ ∧ ϕ

where $R^* = \overline{((\Sigma, \le, F \uplus var(X_0)), B, R^\circ)}$. Therefore, a call to an external SMT solver is just an invocation of the function sat in $SAT(\Sigma_0, E_0 \uplus B_0)$ in order to achieve the above functionality more efficiently and in a built-in way.

¹ Note that in $u(\mathcal{R})$ variables in $X_0$ are interpreted as constants. Therefore, the number of matching substitutions $\theta$ thus obtained is finite.

Given that the symbolic rewrite relation $\leadsto_{\mathcal{R}}$ is encoded as a standard rewrite relation, symbolic search can be directly implemented in Maude by its search command. In particular, for terms $t, u^\circ$, constraints $\varphi_1, \varphi_2$, and $F$ a variable of sort QFFormula, the following invocation solves the inductive reachability problem in Condition (2):

    search ⟨t ; φ₁⟩ =>* ⟨u° ; F⟩ such that sat(F ∧ φ₂) .
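As an added example (not the paper's Maude prototype), the following Python sketch implements the symbolic relation of Section 4 and the next/sat filtering of Section 5 for a constructed single-server budget/deadline system: states are tuples of built-in integer variables, each step conjoins the instantiated rule constraint onto the accumulated one, and a Bellman-Ford decision procedure for difference constraints stands in for the SMT solver. The rules, variable names and initial constraint are assumptions made for illustration.

```python
"""Symbolic rewriting modulo a decidable built-in theory, in miniature.

Constrained states <t;phi> are rewritten by rules "l -> r if psi", and a step
is kept only when phi /\ psi*theta is satisfiable, which is the filtering the
NEXT module delegates to sat.  A Bellman-Ford decision procedure for
difference constraints x - y <= c over the integers stands in for the SMT
solver; the budget/deadline system below is constructed for illustration
and is not the CASH specification.
"""
from collections import deque

ZERO = "0"  # distinguished variable fixed to 0, so "x <= c" is (x, ZERO, c)


def sat_witness(constraints):
    """Decide a conjunction of difference constraints (x, y, c) read as x - y <= c.

    Returns a model {var: int} (with ZERO mapped to 0), or None when the
    constraint graph has a negative cycle, i.e. the conjunction is unsatisfiable.
    """
    nodes = {ZERO} | {v for x, y, _ in constraints for v in (x, y)}
    dist = {v: 0 for v in nodes}  # implicit source joined to every node by weight 0
    for _ in range(len(nodes)):   # |V|-1 relaxation rounds plus one detection round
        changed = False
        for x, y, c in constraints:  # x - y <= c is the edge y -> x with weight c
            if dist[y] + c < dist[x]:
                dist[x] = dist[y] + c
                changed = True
        if not changed:
            break
    else:
        return None  # still relaxing after |V|-1 rounds: negative cycle
    # Shortest-path distances satisfy dist[x] - dist[y] <= c; shift so ZERO is 0.
    return {v: dist[v] - dist[ZERO] for v in nodes}


# A state is (used, deadline, budget, missed): three names of built-in integer
# variables plus a concrete flag, the non built-in part matched syntactically.
# Each rule is (name, fresh variables of the right-hand side, right-hand side
# over the pattern variables U, D, B, constraint psi over those variables).
RULES = [
    # exec: one time unit of execution while budget remains and deadline is ahead
    ("exec", ("U'", "D'"), ("U'", "D'", "B", False),
     [("U'", "U", 1), ("U", "U'", -1),     # U' = U + 1
      ("D'", "D", -1), ("D", "D'", 1),     # D' = D - 1
      ("U", "B", -1), (ZERO, "D", -1)]),   # U < B and D >= 1
    # wait: one time unit without execution (the server is not scheduled)
    ("wait", ("D'",), ("U", "D'", "B", False),
     [("D'", "D", -1), ("D", "D'", 1), (ZERO, "D", -1)]),
    # miss: deadline reached with budget left over (B > U + D, checked at D = 0
    # because a three-variable inequality is not a difference constraint)
    ("miss", (), ("U", "D", "B", True),
     [("D", ZERO, 0), (ZERO, "D", 0), ("U", "B", -1)]),
]


def next_states(state, phi, depth):
    """One-step symbolic successors <u;phi'> of <state;phi>, as the NEXT step does.

    Every (u, theta, psi) is produced by matching, then only those with
    phi /\ psi*theta satisfiable are kept.  Fresh variables are chosen
    deterministically from the search depth, like next in the prototype.
    """
    used, deadline, budget, missed = state
    if missed:  # the rule patterns only match states whose flag is not yet set
        return
    for name, fresh, rhs, psi in RULES:
        theta = {"U": used, "D": deadline, "B": budget, ZERO: ZERO}
        for f in fresh:
            theta[f] = f"{f[0].lower()}{depth}"  # "U'" -> "u3" at depth 3
        phi_new = phi + [(theta[x], theta[y], c) for x, y, c in psi]
        if sat_witness(phi_new) is not None:
            u = tuple(theta[v] if isinstance(v, str) else v for v in rhs)
            yield name, u, phi_new


def symbolic_search(init, phi0, max_depth):
    """Breadth-first symbolic reachability for a state with the miss flag set.

    Returns (rule path, concrete witness for the initial variables) or None;
    the witness is the satisfiability model of the final constraint, the way
    a ground counterexample is extracted from iB in the CASH analysis.
    """
    queue = deque([(init, phi0, [])])
    while queue:
        state, phi, path = queue.popleft()
        if state[3]:
            model = sat_witness(phi)
            return path, {v: model[v] for v in init[:3]}
        if len(path) < max_depth:
            for name, u, phi_new in next_states(state, phi, len(path) + 1):
                queue.append((u, phi_new, path + [name]))
    return None


# Constructed symbolic initial state: used = 0 and 0 < budget < deadline, the
# deadline starting at the period, as in the CASH initial states of Section 6.
INIT = ("u0", "d0", "b0", False)
PHI0 = [("u0", ZERO, 0), (ZERO, "u0", 0), (ZERO, "b0", -1), ("b0", "d0", -1)]

if __name__ == "__main__":
    print(symbolic_search(INIT, PHI0, 4))
```

The search never enumerates values of the budget or period: the miss is found on the symbolic path wait, wait, miss, and the witness for the initial variables (budget 1, deadline 2) is read off the solver's model, as the CASH analysis does with iB.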

6. Analysis of the CASH algorithm 

This section presents an example, developed jointly with Kyungmin Bae, of a real-time system that can be symbolically analyzed in the prototype tool described in Section 5. The analysis applies model checking based on rewriting modulo SMT. Some details are omitted. Full details and the prototype tool can be found in [9].

The example involves the symbolic analysis of the CASH scheduling algorithm [13], which attempts to maximize system performance while guaranteeing that critical tasks are executed in a timely manner. This is achieved by maintaining a queue of unused execution budgets that can be reused by other jobs to maximize processor utilization. CASH poses non-trivial modeling and analysis challenges because it contains an unbounded queue. Unbounded data types cannot be modeled in timed-automata formalisms, such as those of UPPAAL [27] or Kronos [48], which assume a finite discrete state.

The CASH algorithm was specified and analyzed in Real-Time Maude by explicit-state model checking in an earlier paper by Ölveczky and Caccamo [36], which showed that, under certain variations on both the assumptions and the design of the protocol, it could miss deadlines. Explicit-state model checking has intrinsic limitations which the new analysis by rewriting modulo SMT presented below overcomes. The CASH algorithm is parametrized by: (i) the number $N$ of servers in the system, and (ii) the values of a maximum budget $b_i$ and period $p_i$ for each server $1 \le i \le N$. Even if $N$ is fixed, there are infinitely many initial states for $N$ servers, since the maximum budgets $b_i$ and periods $p_i$ range over the natural numbers. Therefore, explicit-state model checking cannot perform a full analysis. If a counterexample for $N$ servers exists, it may be found by explicit-state model checking for some chosen initial states, as done in [37], but it could be missed if the wrong initial states are chosen.

Rewriting modulo SMT is useful for symbolically analyzing infinite-state systems like CASH. Infinite sets of states are symbolically described by terms which may involve user-definable data structures such as queues, but whose only variables range over decidable types for which an SMT solving procedure is available. For the CASH algorithm, the built-in data types used are the Booleans (sort iBool) and the integers (sort iInt). Integer built-in terms are used to model discrete time. Boolean built-in terms are used to impose constraints on integers.

A symbolic state is a pair {iB, Cnf} of sort Sys consisting of a Boolean constraint iB, with conjunction denoted ∧, and a multiset configuration of objects Cnf, with multiset union denoted by juxtaposition, where each object is a record-like structure with an object identifier, a class name, and a set of attribute-value pairs. In each object configuration there is a global object (of class global) that models the time of the system (with attribute name time), the priority queue (with attribute name cq), the availability (with attribute name available), and a deadline missed flag (with attribute name deadline-miss). A configuration can also contain any number of server objects (of class server). Each server object models the maximum budget (the maximum time within which a given job will be finished, with attribute name maxBudget), period (with attribute name period), internal state (with attribute name state), time executed (with attribute name timeExecuted), budget time used (with attribute name usedOfBudget), and time to deadline (with attribute name timeToDeadline). The symbolic transitions of CASH are specified by 14 conditional rewrite rules whose conditions specify constraints solvable by the SMT decision procedure. For example, rule [deadlineMiss] below models the detection of a deadline miss for a server with non-zero maximum budget.


    vars AtSG AtS : AttributeSet .  var iB : iBool .  var Cnf : Configuration .
    vars iT iT' iNZT : iInt .  var St : ServerState .  vars G S : Oid .  var B : Bool .

    crl [deadlineMiss] :
      { iB, < G : global | dead-miss |-> B, AtSG >
            < S : server | state |-> St, usedOfBudget |-> iT, timeToDeadline |-> iT',
                           maxBudget |-> iNZT, AtS > Cnf }
      => { iB ∧ iT >= c(0) ∧ iNZT > c(0) ∧ iT' > c(0) ∧ iNZT > iT + iT',
           < G : global | dead-miss |-> true, AtSG >
           < S : server | state |-> St, usedOfBudget |-> iT, timeToDeadline |-> iT',
                          maxBudget |-> iNZT, AtS > Cnf }
      if St =/= idle /\ check-sat(iB ∧ iT >= c(0) ∧ iNZT > c(0) ∧ iT' > c(0) ∧ iNZT > iT + iT') .

That is, the protocol misses a deadline for server S whenever the value of attribute maxBudget exceeds the sum of the values of usedOfBudget and timeToDeadline (i.e., iNZT > iT + iT'), so that the allocated execution time cannot be exhausted before the server's deadline.

The goal is to verify symbolically the existence of missed deadlines of the CASH algorithm for the infinite set of initial configurations containing two server objects $s_0$ and $s_1$ with maximum budgets $b_0$ and $b_1$ and periods $p_0$ and $p_1$ as unspecified natural numbers, and such that each server's maximum budget is strictly smaller than its period (i.e., $0 < b_0 < p_0 \wedge 0 < b_1 < p_1$). This infinite set of initial states is specified symbolically by the equational definition (not shown) of term symbinit. Maude's search command can then be used to symbolically check if there is a reachable state for any ground instance of symbinit that misses the deadline:


    search in SYMBOLIC-FAILURE : symbinit =>*
      { iB:iBool, Cnf:Configuration < g : global | AtS:AttributeSet, deadline-miss |-> true > } .

    Solution 1 (state 233)
    states: 234  rewrites: 60517 in 2865ms cpu (2865ms real) (21118 rewrites/second)
    iB:iBool --> ((i(0) <= c(0) ∧ i(1) <= c(0)) ∨ i(0) <= c(0) + i(1) ∧ ...
    Cnf:Configuration -->
      < s1 : server | maxBudget |-> i(0), period |-> i(1), state |-> waiting, usedOfBudget |-> c(0),
                      timeToDeadline |-> ((i(1) - c(1)) - c(1)), timeExecuted |-> c(0) >
      < s2 : server | maxBudget |-> i(2), period |-> i(3), state |-> executing, usedOfBudget |-> c(2),
                      timeToDeadline |-> ((i(3) - c(1)) - c(1)), timeExecuted |-> c(2) >
    AtS:AttributeSet --> time |-> c(2), cq |-> emptyQueue, available |-> false


A counterexample is found at (modeling) time two, after exploring 233 symbolic states in less than 3 seconds. By using a satisfiability witness of the constraint iB computed by the search command, a concrete counterexample is found by exploring only 54 ground states. This result compares favorably, in both time and computational resources, with the ground counterexample found by explicit-state model checking in [36], where more than 52,000 concrete states were explored before finding a counterexample.

7. Symbolic Reachability Analysis for PLEXIL Modulo Integer Constraints 

Synchronous languages were introduced in the 1980s to program reactive systems, i.e., open systems whose behavior is determined by their continuous reaction to the environment where they are deployed. The Plan Execution Interchange Language (PLEXIL) [20] is a synchronous language developed by NASA to support autonomous spacecraft operations. Given the safety-critical nature of spacecraft operations, PLEXIL's operational semantics has been formally defined [17] and several properties of the language, such as determinism and compositionality, have been mechanically verified [16] in the Prototype Verification System (PVS) [38]. A rewriting logic semantics of PLEXIL [18] has been developed in Maude and has been used, within a formal interactive verification environment [41], to validate the intended semantics of the language against a wide variety of plan examples.

PLEXIL programs define reactive systems that interact with an external environment of sensors and actuators. Such programs are deterministic by assuming a given concrete value for each of the sensors that the reactive system interacts with. Therefore, to execute by standard rewriting the rewriting logic semantics in [18] (and perform various kinds of reachability analysis verification in Maude using such rewriting), concrete values of the data in sensors had to be assumed for the reactive interactions. Since, in general, the possible tuples of such values can be infinite or (assuming finite arithmetic precision) extremely large, the concrete executions and formal analyses allowed by the concrete rewriting semantics had to be necessarily incomplete. This is analogous to the incompleteness of simulating and analyzing the CASH algorithm example in Real-Time Maude, versus the complete analysis by rewriting modulo SMT presented in Section 6. Using rewriting modulo SMT, a complete rewriting logic semantics that can symbolically cover all possible values in an external environment has been defined for PLEXIL in [40].

This section presents a case study overview on the symbolic analysis of reachability 
properties for a large subset of the PLEXIL language based on rewriting modulo SMT, 
which extends and complements the rewriting logic semantics of the language. Such an 
analysis is able to automatically detect reachability violations on input plans where the 
values of external variables can be left unspecified, a task that is impossible to achieve 
with the ground rewriting logic semantics of the language. 

7.1. PLEXIL Overview 

This section presents an overview of PLEXIL; the reader is referred to [20] for a 
detailed description of the language. 

A PLEXIL program, called a plan, is a tree of nodes representing a hierarchical decomposition of tasks. Interior nodes, called list nodes, provide control structure and naming scope for local variables. The primitive actions of a plan are specified in the leaf nodes. Leaf nodes can be assignment nodes, which assign values to local variables, command nodes, which call external commands, or empty nodes, which do nothing. PLEXIL plans interact with a functional layer that provides the interface with the external environment. This functional layer executes the external commands and communicates the status and result of their execution to the plan through external variables.

Nodes have an execution state, which can be inactive, waiting, executing, iterationend, 
failing, finishing, or finished, and an execution outcome, which can be unknown, skipped, 
success, or failure. They can declare local variables that are accessible to the node in 
which they are declared and all its descendants. In contrast to local variables, the ex- 
ecution state and outcome of a node are visible to all nodes in the plan. Assignment 
nodes also have a priority, which is used to solve race conditions. The internal state 
of a node consists of the current values of its execution state, execution outcome, and 
local variables. 

Each node is equipped with a set of gate conditions and check conditions that gov- 
ern the execution of a plan. Gate conditions provide control flow mechanisms that react 
to external events. In particular, the start condition specifies when a node starts its exe- 
cution, the end condition specifies when a node ends its execution, the repeat condition 
specifies when a node can repeat its execution, and the skip condition specifies when 
the execution of a node can be skipped. Check conditions are used to signal abnor- 
mal execution states of a node and they can be either pre-condition, post-condition, or 
invariant conditions. The language includes Boolean, integer and floating-point arith- 
metic, and string expressions. It also includes lookup expressions that read the value 
of external variables provided to the plan through the executive. Expressions appear 
in conditions, assignments, and arguments of commands. Each of the basic types is 
extended by a special value unknown that can result, for example, when a lookup fails. 

The execution of a plan in PLEXIL is driven by external events from the environ- 
ment that trigger changes in the gate conditions. All nodes affected by a change in a 
gate condition synchronously respond to the event by modifying their internal state. 
These internal modifications may trigger more changes in gate conditions that in turn 
are synchronously processed until quiescence is reached for all nodes involved. Exter- 
nal events are considered in the order in which they are received. An external event 
and all its cascading effects are processed before the next event is considered. This 
behavior is known as run-to-completion semantics. 

The atomic relation describes the execution of an individual node in terms of state transitions triggered by changes in the environment. The micro relation describes the synchronous reduction of the atomic relation with respect to the maximal redexes strategy, i.e., the synchronous application of the atomic relation to the maximal set of nodes of a plan. The remaining three relations are the quiescence relation, the macro relation, and the execution relation, which describe, respectively, the reduction of the micro relation until normalization, the interaction of a plan with the external environment upon one external event, and the $n$-iteration of the macro relation corresponding to $n$ time steps. Figure 1 depicts the transition diagram defining PLEXIL's atomic transitions for lists in state executing.

Figure 1: Atomic transitions for list nodes in state executing.

Figure 2: A parallel assignment with a potential race condition.

Since local variables declared in a node are shared by its children nodes, it may be possible that two nodes attempt to synchronously write the same variable. The priority mechanism included in the semantics of PLEXIL can be used by programmers to deal with this problem. Unfortunately, priorities are optional and, in practice, race conditions may occur during the execution of a PLEXIL program. For instance, consider the plan AssignWithConflict in Figure 2. This plan has one list node and two assignment nodes, NonNeg and NonPos. It declares a local integer memory x and interacts with the external environment via the integer variable S. Note that depending on the value of S, the assignment nodes NonNeg and NonPos may or may not start execution, and a race condition can happen on x when the value of S is 0. With the symbolic semantics presented in this section, the race condition on x can be automatically detected.

7.2. Symbolic Detection of Race Conditions 

Detection of race conditions on local memories and violation of node invariants are important in PLEXIL. As such, predicates for checking them are already available from the symbolic semantics. In particular, state predicates inv and race-free, which take an argument of sort NeQualified (i.e., the sort of node identifiers), are offered to the user.

The intended semantics of the state predicates is with respect to the initial semantics of PLEXIL. For example, consider the following definition of inv in the syntax of Maude's model checker:

    eq ({ iB:iBool,
          < O:NeQualified : C:Cid | inv |-> iB':iBool, AtS:AttributeSet >
          Cnf:Configuration }) |= inv(O:NeQualified)
     = check-unsat(iB:iBool and
                   not(eval(< O:NeQualified : C:Cid | inv |-> iB':iBool, AtS:AttributeSet >
                            Cnf:Configuration,
                            iB':iBool))) .

The invariant condition of node O is represented by the Boolean expression iB'. The predicate inv(O) holds whenever the conjunction of the state's constraint iB and the negation of iB' is unsatisfiable; otherwise there is a ground counterexample state for the invariance of the node, i.e., an invariant violation for O.

Boolean and integer expressions can be evaluated 'symbolically' by means of function eval, while function check-unsat implements the call to CVC3:

    op eval : Configuration iBool -> iBool .
    op eval : Configuration iInt -> iInt .
    op check-unsat : iBool -> Bool .

The evaluation of an expression by eval is given w.r.t. an object configuration and it is equationally defined by recursion on the structure of expressions.

Recall the plan AssignWithConflict in Figure 2, which has a potential race condition for the local memory x. Assume that SPLX represents the symbolic rewriting logic semantics of PLEXIL, and let init be a configuration of objects representing an initial configuration for AssignWithConflict. Consider the following safety verification requirements:

$$\mathcal{T}_{SPLX}, \{c(true),\ init\} \models \Box\, race\text{-}free(x.AssignWithConflict), \qquad (3)$$

$$\mathcal{T}_{SPLX}, \{i(0) \ge c(1),\ init\} \models \Box\, race\text{-}free(x.AssignWithConflict), \qquad (4)$$

$$\mathcal{T}_{SPLX}, \{i(0) \ge c(1),\ init\} \models \Box\, inv(AssignWithConflict). \qquad (5)$$

The external variable S in AssignWithConflict is represented by the term i(0). Property (3) states that there is no race condition on memory x if i(0) has no initial constraints. Property (4) states that there is no race condition on memory x if i(0) is assumed to be at least 1. Property (5) states that the invariant condition of node AssignWithConflict holds if i(0) is assumed to be at least 1. Note that these properties are symbolic reachability requirements because of the nature of the external variable S. Also, the constrained terms defining the initial states in these properties represent, in each case, infinitely many initial states.

By directly using Maude's LTL Model Checker, property (3) can be disproved, and properties (4) and (5) can be proved automatically.


    reduce in ASSIGNWITHCONFLICT :
      verify-lite({c(true), init}, [] race-free(x . AssignWithConflict)) .
    rewrites: 2590 in 525ms cpu (1629ms real) (4929 rewrites/second)
    result Bool: false

    reduce in ASSIGNWITHCONFLICT :
      verify-lite({i(0) >= c(1), init}, [] race-free(x . AssignWithConflict)) .
    rewrites: 2846 in 575ms cpu (614ms real) (4947 rewrites/second)
    result Bool: true

    reduce in ASSIGNWITHCONFLICT :
      verify-lite({i(0) >= c(1), init}, [] inv(AssignWithConflict)) .
    rewrites: 3191 in 576ms cpu (702ms real) (5534 rewrites/second)
    result Bool: true

Function verify-lite is a wrapper around Maude's LTL Model Checker function modelCheck. This wrapper outputs either true or false, depending on the output of the model checker function, omitting the counterexample, if any.


8. Related Work and Concluding Remarks 

The idea of combining term rewriting/narrowing techniques and constrained data structures is an active area of research, especially since the advent of modern theorem provers with highly efficient decision procedures in the form of SMT solvers. The overall aim of these techniques is to advance the applicability of methods in symbolic verification where the constraints are expressed in some logic that has an efficient decision procedure. In particular, the work presented here has strong similarities with the narrowing-based symbolic analysis of rewrite theories initiated in [31] and extended in [8]. The main difference is the replacement of narrowing by SMT solving and the decidability advantages of SMT for constraint solving.

M. Ayala-Rincón [5] investigates, in the setting of many-sorted equational logic, the expressiveness of conditional equational systems whose conditions may use built-in predicates. This class of equational theories is important because the combination of equational and built-in premises yields a type of clauses which is more expressive than purely conditional equations. Rewriting notions like confluence, termination, and critical pairs are also investigated. S. Falke and D. Kapur [21] studied the problem of termination of rewriting with constrained built-ins. In particular, they extended the dependency pairs framework to handle termination of equational specifications with semantic data structures and evaluation strategies in the Maude functional sublanguage. The same authors used the idea of combining rewriting induction and linear arithmetic over constrained terms [22]. Their aim is to obtain equational decision procedures that can handle semantic data types represented by the constrained built-ins. H. Kirchner and C. Ringeissen proposed the notion of constrained rewriting and have used it by combining symbolic constraint solvers [25]. The main difference between their work and the rewriting modulo SMT presented in this paper is that the former uses narrowing for symbolic execution, both at the symbolic 'pattern matching' and the constraint solving levels. In contrast, rewriting modulo SMT solves the symbolic pattern matching task by rewriting while constraint solving is delegated to an SMT decision procedure. More recently, C. Kop and N. Nishida [26] have proposed a way to unify the ideas regarding equational rewriting with logical constraints. More generally, while the approaches in [5, 21, 22, 25, 26] address symbolic reasoning for equational theorem proving purposes, none of them addresses the kind of non-deterministic rewrite rules which are needed for open system modeling. Also recently, A. Arusoaie et al. [4] have proposed a language-independent symbolic execution framework, within the K framework [28], for languages endowed with a formal operational semantics based on term rewriting.





There, the built-in subtheories are the datatypes of a programming language and sym- 
bolic analysis is performed on constrained terms (called “patterns”); unification is also 
implemented by matching for a restricted class of rewrite rules and uses SMT solvers 
to check constraints. 

This paper has presented rewrite theories modulo built-ins and has shown how they can be used for symbolically modeling and analyzing concurrent open systems, where non-deterministic values from the environment can be represented by built-in terms [40, 42]. In particular, the main contributions of this paper can be summarized as follows: (1) it presents rewriting modulo SMT as a new symbolic technique combining the powers of rewriting, SMT solving, and model checking; (2) this combined power can be applied to model and analyze systems outside the scope of each individual technique; (3) in particular, it is ideally suited to model and analyze the challenging case of open systems; and (4) because of its reflective reduction to standard rewriting, current algorithms and tools for model checking closed systems can be reused in this new symbolic setting without requiring any changes to their implementation.

Under reasonable assumptions, including decidability of $E_0^+$, a rewrite theory modulo $E_0$ is executable by term rewriting modulo SMT. This feature makes it possible to use, for symbolic analysis, state-of-the-art tools already available for Maude, such as its search commands, with no change whatsoever required to use such tools. We have proved that the symbolic rewrite relation is sound and complete with respect to its ground counterpart, have presented an overview of the prototype that offers support for rewriting modulo SMT in Maude, and have presented two case studies on the symbolic analysis of the CASH scheduling algorithm and the PLEXIL synchronous language illustrating the use of these techniques.

Future work on a mature implementation and on extending the idea of rewriting 
modulo SMT with other symbolic constraint solving techniques such as narrowing 
modulo should be pursued. Also, the extension to other symbolic LTL model check- 
ing properties, together with state space reduction techniques, should be investigated. 
Further applications to Real-Time Maude, PLEXIL, and other languages should also 
be pursued. 